> ## Documentation Index
> Fetch the complete documentation index at: https://docs.walletconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate requests to the WalletConnect Pay API with API keys.

Every request to the WalletConnect Pay API is authenticated with an API key, passed in the `Api-Key` header:

```bash theme={null}
curl "https://api.pay.walletconnect.com/v1/merchants" \
  -H "Api-Key: $WCP_API_KEY"
```

API keys are created and managed in the [dashboard](https://merchant.pay.walletconnect.com/en/api-keys). A key is shown only once at creation — store it in a secret manager. Anyone with the key can act on behalf of your account.

## Test and live keys

Your account has two kinds of keys, one for each mode:

| Key prefix  | Mode     | Behavior                                                                     |
| ----------- | -------- | ---------------------------------------------------------------------------- |
| `wcp_test_` | **Test** | Payments are simulated; no funds move. See [Test mode](/payments/test-mode). |
| `wcp_`      | **Live** | Real payments with on-chain settlement.                                      |

The key is the **only** thing that selects test or live. Both key types work against the same base URL and the same endpoints, and there is no test flag or mode parameter on any request.

<Warning>
  Responses do not say whether a resource is test or live — that's determined by the key that created it.
</Warning>

## Errors

| Status             | Meaning                                                             |
| ------------------ | ------------------------------------------------------------------- |
| `401 Unauthorized` | The key is missing, malformed, or revoked.                          |
| `403 Forbidden`    | The key is valid but lacks permission for this account or resource. |

## Key safety

* **Never expose keys in client-side code.** All API calls should be made from your backend.
* **Use test keys everywhere except production.** Development, CI, and staging should use `wcp_test_` keys.
* **Rotate compromised keys immediately** from the [dashboard](https://merchant.pay.walletconnect.com/en/api-keys).
